From cf4b0540c9ae51048cee89aefada0126827bac5a Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Wed, 8 Mar 2023 15:21:28 -0800
Subject: [PATCH 1/2] Resolves: rhbz#2176392 CVE-2023-0767 nss: Mozilla: Arbitrary memory write via PKCS 12 in NSS by rebasing to nss 3.88.1, which is already released in f37, f36, and rawhide.
---
 .gitignore | 1 +
 nss.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 73aa652..e89f80b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,3 +77,4 @@ TestUser51.cert
 /nspr-4.35.tar.gz
 /nss-3.85.tar.gz
 /nss-3.87.tar.gz
+/nss-3.88.1.tar.gz
diff --git a/nss.spec b/nss.spec
index ff7b7d4..8d4c9a6 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.35.0
-%global nss_version 3.87.0
+%global nss_version 3.88.1
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
@@ -7,7 +7,7 @@
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %[%baserelease+2]
+%global nspr_release %[%baserelease+3]
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
@@ -1094,6 +1094,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Fri Feb 10 2023 Frantisek Krenzelok - 3.88.1-1
+- Update NSS to 3.88.1
+
 * Tue Jan 24 2023 Bob Relyea - 3.87.0-2
 - Fix rebuild errors
diff --git a/sources b/sources
index 48fb43b..d91999e 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f
-SHA512 (nss-3.87.tar.gz) = 4ec7b94e537df109638b821f3a7e3b7bf31d89c3739a6e4c85cad4fab876390ae482971d6f66198818400f467661e86f39dc1d2a4a88077fd81e3a0b7ed64110
+SHA512 (nss-3.88.1.tar.gz) = d15289803a4c3caa1b7a8872b761a95b4f571688c8b8ffaf2a1478e032a356fbcf8a9239ebe1777561503329f63dd237384e1d8af9ca70fb48b40e70954b455a
From 5dbb40f0054d69a72a3d36229bc671e81088c394 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok
Date: Fri, 10 Mar 2023 12:37:17 +0100
Subject: [PATCH 2/2] Update NSS to 3.89.0 & remove unused patch
Signed-off-by: Frantisek Krenzelok
---
 .gitignore | 1 +
 nss-3.85-fedora-rebuild-errors.patch | 24 ------------------------
 nss.spec | 12 ++++++------
 sources | 2 +-
 4 files changed, 8 insertions(+), 31 deletions(-)
 delete mode 100644 nss-3.85-fedora-rebuild-errors.patch
diff --git a/.gitignore b/.gitignore
index e89f80b..36c04a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -78,3 +78,4 @@ TestUser51.cert
 /nss-3.85.tar.gz
 /nss-3.87.tar.gz
 /nss-3.88.1.tar.gz
+/nss-3.89.tar.gz
diff --git a/nss-3.85-fedora-rebuild-errors.patch b/nss-3.85-fedora-rebuild-errors.patch
deleted file mode 100644
index 266a394..0000000
--- a/nss-3.85-fedora-rebuild-errors.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up ./lib/ssl/ssl3exthandle.c.rebuild_errors ./lib/ssl/ssl3exthandle.c
---- ./lib/ssl/ssl3exthandle.c.rebuild_errors 2023-01-24 09:26:36.520183263 -0800
-+++ ./lib/ssl/ssl3exthandle.c 2023-01-24 09:27:07.715379228 -0800
-@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *
- * Clients sends a filled in session ticket if one is available, and otherwise
- * sends an empty ticket. Servers always send empty tickets.
- */
--PRInt32
-+SECStatus
- ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
- sslBuffer *buf, PRBool *added)
- {
-diff -up ./lib/ssl/sslsnce.c.rebuild_errors ./lib/ssl/sslsnce.c
---- ./lib/ssl/sslsnce.c.rebuild_errors 2023-01-24 09:44:52.714977837 -0800
-+++ ./lib/ssl/sslsnce.c 2023-01-24 09:46:20.993510435 -0800
-@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKe
- return SECSuccess;
- }
- 
--static PRBool
-+static SECStatus
- ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName,
- PK11SymKey **aesKey, PK11SymKey **macKey);
- 
diff --git a/nss.spec b/nss.spec
index 8d4c9a6..5da7af5 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,13 +1,13 @@
 %global nspr_version 4.35.0
-%global nss_version 3.88.1
+%global nss_version 3.89.0
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 2
+%global baserelease 1
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %[%baserelease+3]
+%global nspr_release %[%baserelease+4]
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
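Review bot: The nspr release number does not advance in the nss.spec hunk at the end of this line: the old side evaluates `%[%baserelease+3]` with baserelease 2 and the new side `%[%baserelease+4]` with baserelease 1, so nspr_release is 5 both before and after, while the NOTE a few lines up asks for an increment whenever only the NSS side is updated. If the 3.88.1 state from the first patch was ever built (it would have produced nspr-4.35.0-5 and, because baserelease stayed at 2 there, nss-3.88.1-2 despite its "3.88.1-1" changelog entry), this commit rebuilds the nspr subpackages under an NVR that is already taken; `%global nspr_release %[%baserelease+5]` keeps the sequence monotonic. If that intermediate build never happened, a sentence in the commit message saying so would spare the next reviewer the arithmetic. The spec's %global block continues beyond the hunk.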
@@ -134,9 +134,6 @@ Patch40: nss-no-dbm-man-page.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1774659
 Patch51: nss-3.79-dbtool.patch
-# fix rebuilds error
-Patch52: nss-3.85-fedora-rebuild-errors.patch
-
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
@@ -1094,6 +1091,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Fri Mar 10 2023 Frantisek Krenzelok - 3.89.0-1
+- Update NSS to 3.89.0
+
 * Fri Feb 10 2023 Frantisek Krenzelok - 3.88.1-1
 - Update NSS to 3.88.1
diff --git a/sources b/sources
index d91999e..1e9ca85 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f
-SHA512 (nss-3.88.1.tar.gz) = d15289803a4c3caa1b7a8872b761a95b4f571688c8b8ffaf2a1478e032a356fbcf8a9239ebe1777561503329f63dd237384e1d8af9ca70fb48b40e70954b455a
+SHA512 (nss-3.89.tar.gz) = 1db06d4575f2c16d2a0629007981211e714f99c014c0a6256dd33d0caf8c809ba8d5be204d018f9d1cc99b9fcd055ac1fb99b399486ed43c9cf3f55f2747de82